It was two weeks ago. I was chatting with the CFO of a major automobile manufacturing company. This is one of the largest companies in the world. I was waxing eloquent about new-age attacks that would affect companies like theirs. He listened intently for a time, flummoxed at how attackers were using every tool at their disposal to steal money and data from companies like his, all around the world. He even admitted that his company had been a victim of a recent spear-phishing attack. It was an interesting discussion till he brought up the words “Wow, this is pretty great, but security I guess would be an IT thing…. That’s what happens at our place. Security is IT and we never poke our head into that”, chuckling at his own joke. It was then that something hit me, and hard.
Security is still considered an IT problem and NOT a business problem. Information Security, Hacking and Cyber-threats are just below black-magic and world-wide apocalypse in the list of things that non-IT people don’t quite comprehend. Surely, I felt, this CFO should know of Information Security as any other management focus area within the company like sales, marketing, HR and so on. Sadly, that was not to be. I prodded “Tell me something, you’re the member of your company’s Board of Directors, how often does Data Security feature in those meetings?” He thought for a while and then shook his head “Not that I can think of. We discuss some IT initiatives like SAP integration and so on, but not security, to my knowledge, no.”
At this point I realized one unequivocal truth about our industry. It was a painful one. Information Security, I perceived, was less about Information and more about IT. Information Security, unfortunately, does not have much of a place in the boardroom of the average company. Here are three reasons why I think Information Security must occupy an important seat at your next boardroom discussion.
1. Every Business == IT Business
I hate to begin with cliches, but this one is very apt. IT fuels the modern business. It runs production, marketing, purchasing, sales, and literally any other operation that you can think of. Like it or not, your business runs on IT, and IT components and applications can be compromised. Therefore, Information Security is/should be a paramount concern. It is literally as bad as a hospital running out of doctors to perform treatments or a manufacturing company running out of raw material. During an assessment, I was speaking to the CISO of a major Oil and Gas company who said “You know what, nobody cares about Information Security. Think about it. If we don’t use IT tomorrow, they’ll just go back to pen and paper.” I thought that was a silly statement. Pen and paper? Really? That company had automated and integrated every bit of their upstream operations with ICS systems, ERPs and so on. If they had a data breach, it would have been a long (really long) time for them to go back to “pen and paper” and their operations would have seriously, seriously slowed down. Don’t kid yourself. Every business is in the IT business. And in the IT business, any business can/probably/would get hacked. Deal with it.
2. Security Risk is a subset of Operational Risk
Every enterprise today wants to be on top of “Operational Risk”. Most boards and CXOs spend an immense amount of time and energy understanding and attempting to be on top of Operational Risk, a.k.a. “What if” analysis. Expensive consultants are engaged to provide fancy reports with graphs on “Operational Risk”. Not including Information Security Risk in that mix is a recipe for disaster. For example, you are an automobile manufacturer who’s developing a new car that is revolutionary and would change the market forever. Well, you have probably analyzed operational risk to death. But what about that designer who is working on the core design of the vehicle receiving a phishing email from a competitor and exposing your critical business secrets to your competition, consequently blowing your chances of being a market leader? Information is power. Information Security is a way of protecting that power. You cannot afford to ignore it, especially in the boardroom.
3. Security is a Keystone Habit
According to Charles Duhigg’s well-researched book “The Power of Habit”, Keystone Habits are habits that cause a chain reaction. A Keystone Habit is a single habit that can effect change across different systems, using a series of “small wins” and energy across the system. He uses a compelling example of how Alcoa’s legendary CEO Paul O’Neill was able to convert Alcoa (The Aluminium Corporation of America), not by traditional methods like cost cutting and innovative products, but by focusing on one single habit, Worker Safety. Using this Keystone Habit, Alcoa (where workers handled molten metal and dangerous substances) not only became a Zero-Injury workplace but also became a profit-making machine thanks to the single Keystone Habit of Worker Safety.
Information Security has a very similar nature. I have seen companies that install strong technology, process and people controls from an Information Security standpoint grow into serious profit-making machines that are long-standing and durable. Security, if implemented correctly, instills a sense of discipline and culture that can have huge ripple benefits to the company on the whole. While most people (incorrectly) view Information Security as a cost-center and a “support” department, I believe that gelling information security into the organization’s culture correctly and deliberately can have huge productivity and efficiency rewards for the organization.
Information Security is becoming increasingly important. Attacks against banks and companies like Target and Home Depot have shown people and companies that they are not necessarily as safe as they thought against cyber threats. However, if you truly want to make information security an integral cultural aspect of your company, you need to include it in the Board Room. Your company’s leaders and management (across departments and spheres) must be able to understand and appreciate information security risks and handle them like they would any other management system.